|Applies To||RSA Security Analytics|
RSA Security Analytics 10.3.1
RSA Security Analytics 10.3.2
RSA Security Analytics 10.3.3
RSA Security Analytics Decoder
|Issue||The App Rules "Alert On" drop down menu is missing multiple meta keys on RSA Security Analytics decoders.|
When clicking on the Alert On drop down when creating an application rule on a decoder, only some of the meta keys appear and others do not. (See Figure 1)
Restarting the nwdecoder service temporarily resolves the issue but only for a short time before the issue returns.
Performing an SDK Language Query via the REST API (navigating to the URL http://<decoder_ip_address>:50104/sdk?msg=language&force-content-type=text/html&expiry=600&size=1677720) displays the missing meta keys only after restarting the nwdecoder service. (See Figure 2)
|Cause||The root cause of this issue is a bug in the product could which causes the improper merging of language tokens, essentially resulting a merging issue of the language tokens derived from parsers and the index configuration. Because of this, the decoder returns incomplete language responses at times.|
A permanent fix for this issue has been implemented in Security Analytics 10.3 SP4, as well as in Security Analytics 10.4.
Alternatively, as a workaround in Security Analytics 10.3 SP3 and below, you may add the missing meta to the index-decoder-custom.xml file on the appliance and restart the nwdecoder service to allow the meta keys to display appropriately.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Figure 1: Missing meta keys in the Alert On drop down menu when creating an application rule.
Figure 2: Performing an SDK Language Query only shows the missing meta keys after restarting teh nwdecoder service.
|Legacy Article ID||a66226|